The unidentified criminals behind the infamous Rustock botnet were paying at least $10,000 a month for US-based command and control servers prior to a successful takedown operation last week.
Instead of using bulletproof hosting outfits (rogue ISPs normally based in eastern Europe) that ignore takedown notices, the botherders …

No public cloud for my company

It might be equally valid to say:

If I were the Microsoft Corporation, I would not be sleeping well knowing that the full resources of a team capable of building an umpty-something-thousand node botnet were available to a load of crooks with an axe to grind.....

Yes

Well yes, that would work

But doing so would be illegal, since the running of the clean-up program would not be authorized by the user (a similar thing was proposed for Conficker). Even if you were to place a page that said something like "Microsoft has found a Virus on your system, please run this program to clean it up", while legal, it would only cause more damage.

A program to clean this infection has already been getting distributed by Windows Update; unfortunately, Update functionality has been disabled on the compromised systems.

How to takedown botnets

good idea

Get back under your bridge troll!

I'm an OSX and Ubuntu user exclusively but even I recognise the fact that MS did everyone a huge favour by removing these scum from operation, yet you people still have to have a pop with your silly little digs about Windows!

No, I won't!

And, pray, why not take another dig at MS? They have been a pain in the bottom for umpty years spreading their malware that allows the creation of the resource stealing spam bots. About time they started cleaning up their mess and they do not deserve more than a token thank you for it. Certainly not a reason to begin using their product nor continue to do so. The faults and holes are still there, waiting for another exploit.

Tsk

Market share, pure and simple. You can bang the drum all you want, those of us that haven't drunk the Kool-Aid know if OSX or (gasp!) Linux was the market leader there'd be rife attacks against them. Granted the holes might be fixed faster, but then you'd have an OS that criminals would be competing to get malevolent code committed to the next build. And hey, then everyone that updates is infected.

Tsk

Given the...

number of critical holes patched in Linux and OS X on a regular basis, neither user base has a cause to brag. They can be smug for the time being, because people aren't exploiting these holes.

Look at the recent CSW competition, where Safari fell in a few seconds, look at the bug fixes in the last Kernel Log for Linux. In an interview after the CSW conference, Charlie Miller stated that the flawed ASLR and DEP implementations in OS X made it much easier to attack than Windows.

Don't forget, the first worms and viruses ran on UNIX and derivative systems, long before Windows was even a gleam in Bill's eye...

Virus writing is a big money game and Linux and OS X PCs don't make an attractive target, which means that the writers concentrate on the bigger targets - Java, Flash and Windows. With Java and Flash, you are suddenly cross-platform.

I've done enough security research and bug testing that I would never look at any OS as being secure against malware attack.

Am I a Windows fanboy? I use an iMac, SUSE Linux, Ubuntu and Windows 7 on a daily basis and don't really have a favourite.

Follow the money...?

So the non-technical route to finding the culprits would be to follow the money trail back from these ISPs. It seems to me that I thought it would be harder to completely hide your financial trail like this?

Meh

I figure if you're into cyber crime this hard, you just pay for everything with stolen credit cards. And if you really want to pay for it yourself, the friendly banking laws of Switzerland and other countries can supposedly stop paper trails before they get back to you.

Thank You Microsoft

No love lost here for Microsoft, but I'm glad to see they have become pro-active in helping fight this SPAM crap. Whining about how bad Windows is, is counter-productive. It (Windows) exists and it's good to see MS using some of its vast resources to shut these folks down. They have the resources and the low-level code access to both detect and pursue this junk.

Eh

I'm a long time Linux geek myself, but Microsoft stopped being the devil years ago. They've been at the plate fighting malware and spam, so to speak, for most of this decade. It would be more accurate to say "about time they finally accomplished something significant". Their products are still lacking IMHO, but the company on the whole is getting more responsible.

So let me get this straight...

MS thinks that they are a force to be reckoned with in net security? In many cases these spam botnets are partially caused by MS' inadequacy in patching and development in the first place. How can anyone with a straight face make any comment like that...baffles my mind. I think a more worrying comment is the fact that a botnet has had the ability to be active for this long without being properly understood by supposed 'experts'.

@L1feless

"How can anyone with a straight face make any comment like that...baffles my mind."

I don't doubt that it does. Anyone with a couple of braincells to rub together will accept that OS security vulnerabilities are a fact of life. All OS suffer from them and all OS get patched but as has already been said above Rustock disables Windows Update. Anyone without will remain baffled.

One thing that can be said...

Microsoft actually did something useful.

Of course, they needed help doing it, and some incentive (Hotmail), but at least they have some good things to do. Now if they would direct some of this energy to other tasks, we would ALL be in a better world.

Every once in a while, Microsoft does something...

... that earns them a bit of grudging respect from me.

As a GNU/Linux enthusiast, I tend to eschew Microsoft products (though I do use them at work out of necessity), and stick to Debian-based distros.

I used to have a fairly constant and high-level antipathy towards the company (MS), but my view has softened a bit over the past eighteen months or so. My dislike of the company now waxes and wanes, depending on its level of cooperation with the F/LOSS (Free/Libre Open-Source Software) Community, and on how it wields its patent portfolio. Microsoft has shrewdly embraced some elements of Open-Source philosophy in a bid to remain relevant, but still needs to be watched with a wary eye.

(I personally think Microsoft's patent suit against Barnes & Noble and Foxconn over the Nook is out of line. But in an interesting and ironic development, Microsoft has managed to escalate the suit brought by i4i over "custom XML" editing support to the U.S. Supreme Court, which could deal a serious blow to software patents if the court rules in favour of Microsoft.)

However, whenever a company like Microsoft offers its resources to take down a major botnet (and track down its herders while they're at it), it's a welcome development.

Money Trail

"paying at least $10,000 a month "

That's a lot of money to be moving. What is the status on the money trail? It is a lot easier to move small amounts of money over the net anonymously, so there should be some sort of a trail. I have yet to see any mention of it.

But um.

Just out of interest, what would really stop these crims from just morphing the thing into something even worse with far more destructive qualities than anything ever seen.. I mean really!!!

MS is near powerless to stop all these assaults from the home PC user's perspective because MS doesn't have the right to run any remote cleaning functions unless it's through the AUS (Automatic Update Service).

Even more worryingly a lot of Home users do not run their updates regularly enough to even do anything to help. My company ran an independent survey ages ago targeting over 1000 Windows-based PC users (home / small office environment only) and asked them how often they did the AUS.

Out of 1000 users only 397 people said they allow it to run automatically without user interaction. The rest said they tend to just leave the notification up and do nothing about it.

Defaults to update

Cuz uhh

The servers responsible for controlling the botnet were seized. Gist of it is that them attempting to re-assert control would be incredibly difficult and risky. Them taking the codebase and re-building it again is one of the major dangers the article talked about, but those machines aren't taking commands anymore.

I'm just wondering how the legal precedent they've created is going to be misused.

14.4kb?

I don't think your in-laws need worry about Rustock. It would've given up using their machine, as downloading the first 200k would surely look like a duff connection. And, as you say, it'd prolly drop out first.

Where is the income?

Good questions.

As also the question:

How does the money get back to the bot-herders?

In order for it to be worth their while there must be a mechanism to get money back to the people running the operation - the 'companies' are presumably paying the bot-herders to get people to buy stuff from them.

Monetary Gain

To Anonymous Coward (2 above):

Money is made in the spam industry as follows:

Company A (Producer of inferior quality/fake pharmaceuticals) contacts Company B (Spamming Company) either directly or through an underground message board for people looking for spammers. Spamit was a recent one that got taken down.

Company B then agrees to email out a large amount of emails for a certain price. I'm not sure of current rates, but it could be something like 5,000 per 1 million emails or what have you.

Company A makes its profits by having a certain percentage of the people that get the spam (even less than 0.05 percent would give them a good profit) actually purchasing their crapola. Also, they can then, if they wish, potentially take the purchasers' credit card details and take them to the cleaners.

Shirley...

However, why is it not possible to trace the transaction between sucker X and Company A? Particularly if the sucker is taken to the cleaners and has his credit card maxed out by the scammers, there should be an audit trail from the credit card company. Obviously, there must be some mechanism by which this money is laundered. In my eyes, it is this money laundering operation that should be being targeted by the relevant law enforcement agencies...

Spam levels way down

A couple of days ago I checked the server logs: over 1 week, the incoming mail was down by a factor of 8 compared to the same week last year. 280-ish emails compared to over 2000 per week the previous year. All but a dozen or two of those are spam.

Over the past year or so I've found that my low-tech procmail filter, honed over almost a decade, has needed less and less update-work (now only once every couple of months) to keep the passed spam down to a minimal level.

MS action: Nothing to do with operating systems

And everything to do with MSN/Hotmail being overwhelmed by the volume of SMTP connections - even DNSBL rejects take some effort and tie up resources.

Personally I'd have liked to see a perp walk but I can understand why MS simply took down the network first - having said that, Rustock's takedown hardly affected our enduser spam volumes, but it dropped connection attempts to the mail servers by about 50% (we use DNSBL lookups to refuse ~99.5% of all incoming mail before the DATA phase.)

Given the operators are effectively untouchable by law enforcement I've wondered a few times if "extreme prejudice" operations would be in order.
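The pre-DATA DNSBL rejection that the post above describes, as an added example (not code from the page or from any commenter) in Python: it builds the reversed-octet lookup name, interprets the 127.0.0.x answer, fails open on a nonsense answer, and runs the check over a constructed connection log. The zone name dnsbl.example, the stubbed resolver and the "connect from <ip>" log format are all assumptions.

```python
import ipaddress
import re
from typing import Callable, Optional

ZONE = "dnsbl.example"  # assumed placeholder; a deployment would use a published DNSBL zone

def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Standard DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_verdict(ip: str, resolve: Callable[[str], Optional[str]], zone: str = ZONE) -> Optional[str]:
    """Return the 127.0.0.x listing code, or None when not listed.
    resolve(name) gives an A record string or None for NXDOMAIN. An answer outside
    127.0.0.0/8 means a broken zone or resolver, and the check fails open rather
    than refusing all inbound mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    try:
        code = ipaddress.IPv4Address(answer)
    except ValueError:
        return None
    return answer if code in ipaddress.IPv4Network("127.0.0.0/8") else None

# Constructed zone data using documentation-range addresses, not real listings.
FAKE_ZONE = {
    dnsbl_query_name("203.0.113.7"): "127.0.0.2",  # listed as a spam source
    dnsbl_query_name("203.0.113.9"): "127.0.0.4",  # listed as a compromised host
    dnsbl_query_name("198.51.100.5"): "10.0.0.1",  # nonsense answer: must fail open
}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)

# Constructed connection log in an assumed "connect from <ip>" format.
CONSTRUCTED_LOG = ["connect from 203.0.113.7", "connect from 198.51.100.22",
                   "connect from 203.0.113.9", "connect from 198.51.100.5"]
LINE_RE = re.compile(r"connect from (\d+\.\d+\.\d+\.\d+)")
def triage(lines, resolve=fake_resolve) -> dict:
    """Sort client IPs into those refused before DATA and those let through."""
    out = {"rejected": [], "accepted": []}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        out["rejected" if dnsbl_verdict(ip, resolve) else "accepted"].append(ip)
    return out
```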